OAuth Certificate in Lync Server 2013

When requesting certificates in your Lync Server 2013 environment, you will notice that there is a new certificate type that needs to be requested, OAuthTokenIssuer. What is OAuth and what do we use it for in Lync Server 2013?

OAuth (Open Authorization) is a protocol for server-to-server authentication and authorization. With OAuth, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization are based on the exchange of security tokens; each token grants access to a specific set of resources for a specific amount of time. Lync Server 2013 supports three server-to-server authentication scenarios. With Lync Server 2013 you can:

As you complete the request for the OAuthTokenIssuer certificate and view the certificate, you'll see that it looks similar to this:

One important thing to note about the OAuthTokenIssuer certificate, and what makes it different from the other certificates in Lync Server 2013, is that the OAuthTokenIssuer certificate is a global certificate:

So what does that mean? It means that the same OAuthTokenIssuer certificate must be used by all of the Lync Server 2013 servers. To ensure this, when you assign this certificate it is replicated via the CMS and assigned to every Lync Server 2013 server that requires OAuth. If you look in the directory where the Lync Server 2013 logs are stored (C:\Users\<username>\AppData\Local\Temp), you will see a log file similar to:

ReplicateCMSCertificates-[2012_07_31][11_49_20].html

If you open that log file it will look similar to this:

If you wait for replication to succeed and then look at another Lync Server 2013 server, you will see that the OAuthTokenIssuer certificate has been replicated and assigned to that server:

So what happens if I request an OAuthTokenIssuer certificate on multiple servers? In that case whichever certificate is replicated to the CMS last will be used by all of the Lync Server 2013 servers.

So when requesting the OAuthTokenIssuer certificate in Lync Server 2013, remember to only request it once and sit back and let CMS replication take care of the rest!
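The procedure above (request once, assign as the global certificate, let CMS replication do the rest) as a script, added here as an example and not code from the original post. It is meant to be run from the Lync Server Management Shell on one Front End server. The CA name "ca01.contoso.com\Contoso-Issuing-CA" and the pool FQDN "lyncpool.contoso.com" are assumed placeholders, and the script assumes that the object returned by Request-CsCertificate exposes the new certificate's Thumbprint property, so adjust those to your environment:

```powershell
# Added example (not from the original post): request the OAuthTokenIssuer
# certificate exactly once, assign it as the global OAuth certificate, then
# confirm that CMS replication has pushed the same thumbprint to every
# Front End server in the pool.
# Assumed values: the internal CA "ca01.contoso.com\Contoso-Issuing-CA" and
# the pool FQDN "lyncpool.contoso.com". Replace them with your own.
Import-Module Lync

$ca   = "ca01.contoso.com\Contoso-Issuing-CA"   # assumed internal CA
$pool = "lyncpool.contoso.com"                   # assumed Front End pool

# 1. Request the certificate once. The request is written to an HTML report
#    in %TEMP% next to the ReplicateCMSCertificates-*.html log mentioned above.
#    (Assumption: the returned object carries the new certificate's Thumbprint.)
$cert = Request-CsCertificate -New -Type OAuthTokenIssuer -CA $ca `
            -FriendlyName "OAuthTokenIssuer" -KeySize 2048 -PrivateKeyExportable $true `
            -Report "$env:TEMP\Request-OAuthTokenIssuer.html" -Verbose

# 2. Assign it. The OAuth certificate is global, so the identity is Global
#    rather than a server FQDN; the assignment is stored in the CMS and
#    replicated to every server that needs it.
Set-CsCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint $cert.Thumbprint

# 3. Kick off replication and wait until every replica reports up to date.
Invoke-CsManagementStoreReplication
do {
    Start-Sleep -Seconds 30
    $status  = Get-CsManagementStoreReplicationStatus
    $pending = @($status | Where-Object { -not $_.UpToDate })
    Write-Host ("Replicas not yet up to date: {0}" -f $pending.Count)
} while ($pending.Count -gt 0)

# 4. Verify that each Front End in the pool now holds the same thumbprint.
#    If someone requested the certificate on more than one server, the
#    thumbprint replicated last wins and any server still carrying the
#    other one shows up here as a mismatch.
$expected = (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint
$servers  = (Get-CsPool -Identity $pool).Computers
foreach ($fe in $servers) {
    $remote = Invoke-Command -ComputerName $fe -ScriptBlock {
        Import-Module Lync
        (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint
    }
    if ($remote -eq $expected) {
        Write-Host "$fe : OK ($remote)"
    } else {
        Write-Warning "$fe : thumbprint $remote differs from global $expected (replication not applied yet?)"
    }
}
```

The verification loop is the part worth keeping around: because the last OAuthTokenIssuer certificate written to the CMS wins, comparing the thumbprint on every Front End against the global value is the quickest way to spot a server that was issued its own copy or that has not finished replicating yet.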

You can use an internal CA if you have one available. The certificate only needs to be trusted by internal servers, so purchasing a certificate if you have an internal CA available would be unnecessary.

I do have two questions:
– Does the OAuth certificate have to be signed by a "valid" CA (like a cert for https://)?
– If it's possible to self-sign the OAuth certificate, do I need to have Windows Certificate Services installed on my domain?

Can you use the same cert that is used for the Default Certificate? If not, when I go through the wizard to create a new OAuth cert, it automatically just populates it with the entry “domain.com” instead of a full name. Is that what it is supposed to do?

I had before 2 front end servers running Lync 2010 and 2013 with Exchange 2010.
Removed the 2010 Lync front end server.
My OAuth cert expired last week and I cannot install the OAuth cert; I get an error. Is it because I have only 1 front end server, and/or because my Exchange is 2010?

Good article, thanks. Once the OAuth certificate is assigned (to a single front end server) and automatically replicated to the remaining front end servers via CMS, do any SfB services need to be restarted on the front end servers for the renewal to take effect?
Also, in general, do SfB services need to be restarted when renewing front end/edge server pool certificates?

I have two questions, and if you don't mind it would be great if you could drop a comment on those.
We are using a different SIP domain than the mail domain. When requesting the OAuth cert, should we add the mail domain as a SAN name, or is this not related?
Do you know if the cert is replicated between Lync front end pools as well?